A Denial-of-Service Resistant Public-key Authentication and Key Establishment Protocol

Chun-Kan Fung and M.C. Lee
The Chinese University of Hong Kong, Shatin, N.T., Hong Kong
{ckfung, mclee}@cse.cuhk.edu.hk

Abstract

Network denial-of-service attacks, which exhaust the server resources, have become a serious security threat to the Internet. Public Key Infrastructure (PKI) has long been introduced in various authentication protocols to verify the identities of the communicating parties. Although the use of PKI can present difficulty to the denial-of-service attackers, the underlying problem has not been resolved completely, because the use of public-key infrastructure involves computationally expensive operations such as modular exponentiation. An improper deployment of the public-key operations in a protocol allows the attacker to exhaust the server's resources. This paper presents a public-key based authentication and key establishment protocol integrated with a sophisticated client puzzle, which together provide a good solution for network denial-of-service attacks and various other common attacks. The joint establishment of session keys by both the client and the server protects the session after the mutual authentication. The basic strategy to protect against denial of service is to impose an adjustable cost on the attacker while launching the attacks. The proposed client puzzle protocol can also be integrated with other network protocols to protect against denial-of-service attacks.

1 Introduction

Denial-of-Service (DoS) attack is characterized by an explicit attempt of the attackers to prevent legitimate users of a service from using that service [1]. There has been a growing concern about this attack in recent years, especially after the series of denial-of-service attacks on the Internet in February 2000 [2]. Denial-of-service attacks can be classified into three types: (i) consumption of scarce resources; (ii) destruction or alteration of configuration information; and (iii) physical destruction or alteration of network components [1]. Any protocol where the server commits extensive computations or memory allocation prior to or as a part of client authentication is vulnerable to network DoS attacks [3], which corresponds to the first type of denial-of-service attack above. The basic strategy in handling the denial-of-service attack is that the server should require the client to commit its resources before extensive resources could be committed to the client in an authentication protocol session.

0-7803-7371-5/02/$17.00 ©2002 IEEE

TCP connection protocol was reported to be vulnerable to SYN flooding attack in 1996 [4]. This is one of the well-known DoS attacks against a network protocol. During the attack, the attacker sends a huge number of SYN messages to the server to initialize connections and then leaves the subsequently established connections unattended. Since the server allocates buffer space after the reception of a SYN message, the memory of the server can easily be exhausted by such connection requests. Juels and Brainard [5] pointed out that the SSL protocol [6] is vulnerable to a similar form of attack. However, it is the CPU resource rather than the memory space that could be exhausted rapidly, because expensive cryptographic operations are required on the server side in the SSL protocol.

Entity authentication has long been used in communication protocols to tackle different attacks, e.g. the man-in-the-middle attack. Authentication based on the public-key infrastructure is computationally expensive, as the underlying cryptographic operations such as modular exponentiation involve extensive computations. An attacker may be able to exhaust the computational or memory resources of its target if the underlying authentication or communication protocol is improperly designed. For instance, Ng and Tan's protocol [7] is one that is vulnerable to the resource consumption attack: in this protocol the server is required to perform public-key decryption right after the reception of the client request message. Several other protocols have been identified as being vulnerable to this type of attack [8] [9] [10].

Cookies could be used to formulate solutions against the network denial-of-service attack. A cookie would be generated and sent to the client by the server in response to a client request.
The client must include the cookie in subsequent messages to assure the server of its identity. The cookie approach assumes the inability of the attackers to capture messages sent to spoofed IP addresses, so that the attackers cannot return the cookie in subsequent messages. However, message interception is relatively easy, especially within an internal network. ISAKMP [11] is a key management protocol employing cookies to prevent IP spoofing and TCP SYN attacks. However, this protocol has been identified as vulnerable to denial-of-service attack and has been criticized for its improper usage of server resources [12] [13]. Karn and Simpson later proposed Photuris [14], a simpler but stronger scheme with cookies, which is able to avoid the defects in ISAKMP.

Aura and Nikander [15] generalize the concept of stateless connection to prevent resource exhaustion, and introduce the transformation of stateful protocols to stateless ones. The saving of state information can be avoided by attaching the state data to the messages sent to the client; the state data is expected to be returned to the server in subsequent messages. The cost of this technique is the additional communication bandwidth required to transfer the state data between the client and the server. Also, Aura and Nikander have admitted that the presented technique has the problem of not being able to detect replayed messages.

Dwork and Naor first introduced the concept of client puzzle to combat junk mail attack [16]. A client puzzle is a small cryptographic problem created by the server in response to a client request. The client should first commit its resources to solving the puzzle before completing the remaining part of the communication protocol. While the legitimate users could experience only a slight degradation of service under this scheme, a big cost will be imposed on a denial-of-service attacker who tends to create a huge number of requests within a short duration, because the attacker is required to solve a unique puzzle for each of its service requests. Unlike the cookie approach, the client puzzle does not assume the inability of the attacker to capture messages sent to spoofed IP addresses. With appropriate adjustment of the puzzle difficulty level, the client puzzle method can handle relatively fast attacks and allow for graceful service degradation.
Aura, Nikander and Leiwo [17] proposed a client puzzle and applied it to an authentication protocol. The authentication protocol has two operation modes. In one mode, the puzzle is broadcast by the server to all possible clients of the protocol; this creates unnecessary network traffic. In the second mode, the server is required to produce a public-key based signature after the reception of a hello request message from a client; this makes the protocol vulnerable to denial-of-service attack, as public-key operations are computationally expensive. Besides, the client puzzle used has an inherent problem that the solution to a puzzle may not exist, since the protocol does not verify the existence of a solution during puzzle construction. A later authentication protocol designed also by Aura, Nikander and Leiwo [3] employs a puzzle without the above problem. However, similar to the approach proposed by Matsuura and Imai [10], the puzzle does not have a difficulty level, so graceful degradation of service would not be possible. The authentication protocol is also vulnerable to denial-of-service attack because the puzzle is not created in a stateless way. Juels and Brainard [5] from the RSA Laboratories proposed a client puzzle protocol to address the TCP SYN attack. This client puzzle protocol does not have the above-mentioned problems; however, there are still other identified defects.

In this paper, we propose a much-enhanced version of the client puzzle protocol of Juels and Brainard [5]. The defects in Juels and Brainard's protocol will be identified and removed from our client puzzle solution. In addition, a public-key based authentication and key establishment protocol integrated with our client puzzle protocol is proposed. The paper further demonstrates how the proposed integrated authentication protocol can effectively resist the network DoS attack and other types of common attacks.

2 An Improved Client Puzzle Protocol

This section presents our client puzzle protocol for handling the denial-of-service attacks. This client puzzle can be added on top of an existing network protocol in order to protect the protocol against network DoS attacks.

2.1 Protocol Descriptions

Consider the use of our client puzzle to protect a protocol M against the network denial-of-service attacks. To initiate the execution of the protocol M, the client submits its unique identity C in the form of a request message to the server. The server then checks the availability of system resources in order to determine the difficulty level k of the client puzzle to be sent out. The resource availability may refer to the availability of memory or CPU resource or both. Normally, the difficulty level is inversely proportional to the availability of the system resources, allowing a graceful degradation of services during the denial-of-service attacks. In a normal situation, k is set to zero, and no puzzle needs to be solved by the clients. After the determination of the difficulty level, the puzzle is constructed using two one-way, collision-resistant hash operations. First, a bit-string z1 is generated by the hash operation h(C, s, t), where the hash function h operates on a single input bit-string formed by the concatenation of the parameters C, s and t. Then a second hash operation is performed on z1 to produce another bit-string z2. The client identity C is included in the hash input to make the puzzle client-specific, so that a solution for a given puzzle found by one client cannot be used by other clients. Parameter s is the server secret key, which should be long enough (e.g. 128 bits) to prevent brute-force attacks. In order to impose a time limit for solving the puzzle by the client, the puzzle is associated with a timestamp, t, which is set to the current date and time with a precision of one second.


The client needs to solve the puzzle before it expires; otherwise, the protocol execution will be terminated no matter whether the returned solution is correct or not. Assume the hash output is of length L bits. The puzzle is made up of the hash image z2, the partial pre-image of z1, i.e. the (k+1)-th to the L-th bits of z1, the timestamp t and the difficulty level k. In this way, the puzzle can be constructed in a totally stateless fashion. It is important to commit as little resource as possible in the construction of a puzzle, because the DoS attackers intend to exhaust the server resources. To solve the puzzle, the client finds by brute force a k-bit string z1'

Message 3 from the client puzzle protocol should be enhanced before it can be used in our authentication and key establishment protocol. In message 3 of the client puzzle protocol, {z1', z1, t, k, C} is the message that needs to be passed to the server S. To authenticate the client to the server, the client produces a signature of the message using its private key, i.e. E{h(z1', z1, t, k, C, S)} under the client's private key. We emphasize that E{h(z1', z1, t, k, C, S)} thus serves the purpose of a nonce for the server to ensure the freshness of message 3, and so the replay attack is prevented. The replay of message 4 is prevented by the challenge-response technique. A long random nonce NC is generated and sent by the client to the server in message 3. It is then embedded inside the signature of message 4 in order to assure the client of the freshness of this message.

3.3.3 Chosen-text Attack

Chosen-text attack is an attack on a challenge-response protocol, which is characterized by an attacker causing another entity to encrypt or decrypt chosen text using the secret key of the entity. It can be classified as chosen-plaintext attack and chosen-ciphertext attack. The basic technique to avoid such an attack is to embed in each challenge response a self-chosen random number [20]. In the proposed authentication protocol, E{NC}kS in message 3 and E{NS}kC in the last protocol message are the only ciphertexts produced by encryption using public keys. However, the plaintext counterparts NC and NS respectively are never transmitted in any subsequent messages, so chosen-ciphertext attack is not possible in the proposed protocol. Ciphertexts produced by encryption using private keys can be easily decrypted using the corresponding public keys, so we are not interested in the chosen-ciphertext attack on this type of ciphertext. On the other hand, there are two encryption operations using private keys in messages 3 and 4. However, the plaintext counterparts of these two encryptions contain a self-chosen random number, so choosing the entire plaintext in the chosen-plaintext attack is impossible. Chosen-text attack is usually employed to collect plaintext-ciphertext pairs with the purpose of figuring out the private key. We assume the underlying public-key cryptosystem is strong enough to resist this attack.
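The stateless puzzle of Section 2.1 (z1 = h(C, s, t), z2 = h(z1), the top k bits of z1 withheld) and the expiry check that gives the timestamp t its replay-limiting role can be exercised end to end in a few lines. The block below is an added example written for this page, not code from the authors; it uses SHA-256 as a stand-in for h (so L = 256), represents the partial pre-image as the low L-k bits of z1, and assumes that the server verifies a returned solution by recomputing z1 from (C, s, t) rather than by rehashing to z2. The load-to-difficulty mapping in difficulty_for_load is likewise an assumed policy, chosen only to show k growing as free resources shrink and being zero when the server is idle, as the text prescribes. The server secret and client identities are constructed sample values.

```python
import hashlib
import time

L = 256  # hash output length in bits (SHA-256 stands in for the paper's h)


def h(data: bytes) -> int:
    """One-way, collision-resistant hash h, returned as an L-bit integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def difficulty_for_load(free_fraction: float, k_max: int = 20) -> int:
    """Assumed policy: k = 0 while the server has ample free resources,
    otherwise k rises (capped at k_max) as free resources shrink."""
    if free_fraction >= 0.75:
        return 0
    return min(k_max, round((1.0 - free_fraction) * k_max))


def make_puzzle(client_id: bytes, server_secret: bytes, t: int, k: int) -> dict:
    """Server side. No state is kept: z1 is recomputable from (C, s, t) alone."""
    z1 = h(client_id + server_secret + t.to_bytes(8, "big"))
    z2 = h(z1.to_bytes(L // 8, "big"))
    # Withhold the top k bits; the client receives bits (k+1)..L of z1.
    partial = z1 & ((1 << (L - k)) - 1)
    return {"z2": z2, "z1_partial": partial, "t": t, "k": k}


def solve_puzzle(puzzle: dict) -> int:
    """Client side: brute-force the k withheld bits x with h(x || z1_partial) == z2.
    A solution always exists, since the true top bits of z1 satisfy the check."""
    k, partial, z2 = puzzle["k"], puzzle["z1_partial"], puzzle["z2"]
    for x in range(1 << k):
        candidate = (x << (L - k)) | partial
        if h(candidate.to_bytes(L // 8, "big")) == z2:
            return x
    raise ValueError("no solution found")  # unreachable for a correct puzzle


def verify_solution(client_id: bytes, server_secret: bytes, puzzle: dict,
                    x: int, now: int, lifetime: int = 60) -> bool:
    """Server side. The cheap expiry check comes first; only then is one hash
    spent to recompute z1 from (C, s, t) and compare it with x || z1_partial.
    A solution found by one client fails for any other C (client-specific)."""
    t, k = puzzle["t"], puzzle["k"]
    if not (0 <= now - t <= lifetime):
        return False  # expired (or back-dated) puzzle: reject regardless of x
    z1 = h(client_id + server_secret + t.to_bytes(8, "big"))
    return ((x << (L - k)) | puzzle["z1_partial"]) == z1


if __name__ == "__main__":
    secret = b"constructed-server-secret-16"  # constructed sample value
    now = int(time.time())
    k = difficulty_for_load(0.5)
    puzzle = make_puzzle(b"client-A", secret, now, k)
    x = solve_puzzle(puzzle)
    print("k =", k, "accepted:", verify_solution(b"client-A", secret, puzzle, x, now + 1))
```

The client's cost is about 2^(k-1) hash evaluations on average, while the server spends one hash to build the puzzle and one to check the answer, whatever k is; that asymmetry is the whole point of the scheme. Recomputing z1 on verification, rather than checking h(x || z1_partial) == z2, also means a tampered z1_partial or a solution submitted under another client's identity is rejected without the server storing anything per request.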

3.3.4 Interleaving Attack

Interleaving attack refers to those attacks involving selective combination of information from one or more previous or simultaneously ongoing protocol executions (parallel sessions), including possible origination of one or more protocol executions by an adversary itself [20]. To compromise the proposed protocol using an interleaving attack, the attacker must be able to derive those ciphertexts produced using the unknown private keys. In the proposed protocol, none of these ciphertexts in any of the protocol messages has the same format as the other three protocol messages or their components. Also, none of them has a format which is a combination of the formats of the other three messages and their components. This makes the attacker unable to derive the desired ciphertexts in one message from the other three messages of our protocol for an interleaving attack. If the attacker uses the i-th protocol message of a previous protocol instance as the i-th protocol message in the current instance, this corresponds to the replay attack, which has been addressed in Section 3.3.2 above. Another possible mode of interleaving attack is by forced delay [20], in which an attacker intercepts the i-th protocol message of one protocol instance, relays it at some later point in time and then uses it as the i-th protocol message of another protocol instance in order to achieve impersonation or other deceptions. However, this is not considered a true attack, because the attacker acts only as part of the communication link between the communicating parties without altering the content and aliveness of the protocol messages [20].

3.3.5 Others

As all four protocol messages are asymmetric to each other, with identities of the sender and receiver embedded inside the cryptographic messages, together with the use of asymmetric keys, reflection attack [20] is thus prevented in the proposed protocol. Besides, the man-in-the-middle attack can also be easily prevented in the protocol, as this attack can be foiled by the adoption of certificate-based public-key signature [21].

4 Conclusions

This paper proposes a client puzzle based authentication and key establishment protocol which can effectively resist the denial-of-service attacks and other common contemporary attacks. The integrated authentication protocol relies on our carefully designed client puzzle protocol, which can be seen as a much-enhanced version of the client puzzle proposed by Juels and Brainard [5], to tackle the network denial-of-service attack. Our client puzzle protocol has overcome problems inherent in the proposal of Juels and Brainard. Concerning our proposed integrated authentication protocol, for each protocol execution request from a client, a unique puzzle is generated and sent by the server to the client. The client must commit its resources to solve the puzzle before expensive computations and memory allocations are performed by the server. This cost of attack serves as a deterrent to the attacker in carrying out server resource exhaustion attacks. The proposed client puzzle protocol is quite flexible, as the difficulty level of the puzzle can be adjusted according to the degree of availability of the server resources. This means that if the attackers manage to consume some of the server resources, the server would increase accordingly the difficulty level of the client puzzles, which would subsequently consume more resources of the attackers. Therefore, the protocol could intelligently monitor the attackers and launch countermeasures by adaptively adjusting the puzzle difficulty level. The proposed authentication protocol remains stateless and refuses to perform expensive public-key cryptographic computations until the solution of the client puzzle has been verified. Thus it can resist server resource exhaustion attacks. Besides, the proposed authentication and key establishment protocol has been shown to resist various common attacks. As the DoS attacks have become widely known and can easily be exploited to attack websites and various network protocols, they have created a real problem for protocol design. Protocols vulnerable to DoS attacks could be strengthened with the integration of our proposed client puzzle protocol. In addition, network protocol designers should consider integrating the proposed client puzzle protocol into their protocols to avoid being harassed by the DoS attackers.

References

[1] CERT Coordination Center, "Denial of Service Attacks," Tech Tips, June 4, 2001. Available: http://www.cert.org/tech_tips/denial-of-service.html
[2] L. Garber, "Denial-of-service attacks rip the Internet," IEEE Computer, vol. 33, no. 4, pp. 12-17, April 2000.
[3] Jussipekka Leiwo, Pekka Nikander and Tuomas Aura, "Towards network denial of service resistant protocols," in Proceedings of the 15th International Information Security Conference (IFIP/SEC 2000), Beijing, China, August 2000. Kluwer.
[4] CERT Coordination Center, "TCP SYN Flooding and IP Spoofing Attacks," CERT Advisory CA-1996-21, September 19, 1996. Available: http://www.cert.org/advisories/CA-1996-21.html
[5] Ari Juels and John Brainard, "Client puzzles: A cryptographic countermeasure against connection depletion attacks," in Proceedings of the 1999 Network and Distributed System Security Symposium (NDSS '99), pp. 151-165, San Diego, California, February 1999.
[6] Alan O. Freier, Philip Karlton and Paul C. Kocher, "The SSL Protocol Version 3.0," Internet Draft, March 1996.
[7] Li Huang Ng and D.T. Tan, "A novel JavaCard-based authentication system for secured transactions on the Internet," in Proceedings of 2000 IEEE International Conference on Networks (ICON 2000), pp. 262-266, 2000.
[8] S. Hirose and K. Matsuura, "Enhancing the Resistance of a Provably Secure Key Agreement Protocol to a Denial-of-Service Attack," in Proceedings of the 2nd International Conference on Information and Communication Security (ICICS'99), pp. 169-182, Sydney, Australia, November 1999. Springer.
[9] S. Hirose and K. Matsuura, "Enhancing the resistance of a secure key agreement protocol to a denial-of-service attack," in Proceedings of the 1999 Symposium on Cryptography and Information Security (SCIS'99), Vol. II, pp. 899-904, Kobe, Japan, Jan. 1999.
[10] K. Matsuura and H. Imai, "Protection of Authenticated Key-Agreement Protocol against a Denial-of-Service Attack," in Proceedings of 1998 International Symposium on Information Theory and Its Applications (ISITA'98), pp. 466-470, Oct. 1998.
[11] D. Maughan, M. Schertler, M. Schneider and J. Turner, "Internet Security Association and Key Management Protocol (ISAKMP)," RFC 2408, November 1998.
[12] William A. Simpson, "IKE/ISAKMP considered harmful," ;login: The USENIX Association Magazine, 24(6):48-58, December 1999.
[13] K. Matsuura and H. Imai, "Modified Aggressive Modes of Internet Key Exchange Resistant against Denial-of-Service Attacks," IEICE Transactions on Information and Systems, vol. E83-D, no. 5, pp. 972-979, May 2000.
[14] P. Karn and W. Simpson, "Photuris: Session-Key Management Protocol," RFC 2522, March 1999.
[15] Tuomas Aura and Pekka Nikander, "Stateless connections," in Proceedings of the International Conference on Information and Communications Security (ICICS'97), vol. 1334 of LNCS, pp. 87-97, Beijing, China, November 1997. Springer-Verlag.
[16] Cynthia Dwork and Moni Naor, "Pricing via processing or combatting junk mail," in Ernest F. Brickell, editor, Advances in Cryptology - CRYPTO '92, Volume 740 of Lecture Notes in Computer Science, pp. 139-147, 16-20 August 1992. Springer-Verlag, 1993.
[17] Tuomas Aura, Pekka Nikander and Jussipekka Leiwo, "DOS-resistant authentication with client puzzles," in Bruce Christianson, Bruno Crispo and Mike Roe, editors, Proceedings of the 8th International Workshop on Security Protocols, Lecture Notes in Computer Science series, Cambridge, UK, April 2000. Springer-Verlag.
[18] Hans Dobbertin, "Cryptanalysis of MD4," Fast Software Encryption, Third International Workshop, Volume 1039 of Lecture Notes in Computer Science (D. Gollmann, ed.), pp. 53-69. Springer-Verlag, 1996.
[19] T. Coffey and P. Saidha, "Logic for verifying public-key cryptographic protocols," IEE Proceedings in Computers and Digital Techniques, vol. 144, no. 1, pp. 28-32, January 1997.
[20] Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997.
[21] Dong Hwi Seo and P. Sweeney, "Simple authenticated key agreement algorithm," IEE Electronics Letters, vol. 35, no. 13, June 1999.
